Title: Compelling arguments?
This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask.  Has anyone figured out a good way of delegating the DNS update right to your DCs?  At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain.  I'd love to use TSIG or something along those lines, but as far as I can tell this is not supported in Windows.
 
Any suggestions?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

True,
 
I've had the same experience with SQL and Kerberos.  On the bright side, the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

SQL Server has all sorts of dorked up issues with SPNs, you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server, I have had my share of arguments with PSS over that. Instead of trying to do things through the computer account they do things through the admin installing the service who often doesn't have the appropriate rights in AD.
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Not only is being able to register it important, but also that DNS resolves to the correct SPN.  Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net.  If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net.  So when a user attempts to get a service ticket, they will pass sql1.sea.widget.net and it will fail, and the user will use NTLM auth instead.  So if you're going to use a different DNS domain model (like we do at my company; we use QIP with regionalized domains) then make sure your SPNs match up.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

The permission mod you need to make to correct this is described here:
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;258503
 
 
Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers don't forget that by default computers register their SPN using the AD domain name.  So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net Kerberos will not work for the clients that try to connect using the DNS name.
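The mismatch described in this message and in the SQL Server example further up the thread (the computer account registers HOST/<name in the AD domain>, while clients build their ticket request from the name DNS actually resolves) can be checked from PowerShell. The script below is an added example, not code from anyone in the thread. It assumes a domain-joined Windows host, uses only the ADSI classes in .NET (no RSAT module), and takes the host name, service class and port as parameters; it reports whether the SPN a client will ask for exists on the account, and whether it is registered more than once, which also breaks Kerberos.

```powershell
# Added example, not code from the thread. Checks whether the SPN that clients
# will ask the KDC for (built from the name DNS actually resolves) exists on the
# account, and whether it is registered more than once. Runs on a domain-joined
# Windows host using ADSI only; the host name, service class and port are parameters.
param(
    [Parameter(Mandatory)] [string]$ComputerName,   # name clients use, e.g. sql1.sea.widget.net
    [string]$ServiceClass = 'HOST',                 # 'MSSQLSvc' for SQL Server
    [int]$Port = 0                                  # e.g. 1433; SQL SPNs carry host:port
)

# 1. The name clients really use: what the resolver returns, not the AD domain name.
$dnsFqdn = ([System.Net.Dns]::GetHostEntry($ComputerName)).HostName.ToLower()
$expectedSpn = if ($Port) { "$ServiceClass/${dnsFqdn}:$Port" } else { "$ServiceClass/$dnsFqdn" }

# 2. The computer account in AD and the SPNs it actually carries. Looked up by
#    sAMAccountName (short name + '$'), because dNSHostName may sit in the AD zone.
$shortName = ($dnsFqdn -split '\.')[0]
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$shortName`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]('servicePrincipalName','dNSHostName'))
$acct = $searcher.FindOne()
if (-not $acct) { throw "No computer account named $shortName`$ found" }

$adFqdn = [string]$acct.Properties['dnshostname'][0]
$spns   = @($acct.Properties['serviceprincipalname'] | ForEach-Object { $_.ToLower() })

"DNS name clients use : $dnsFqdn"
"dNSHostName in AD    : $adFqdn"
"SPN the client needs : $expectedSpn"

# 3. Is the SPN there at all? If not, the client silently falls back to NTLM.
if ($spns -notcontains $expectedSpn.ToLower()) {
    "MISSING on $shortName`$ -- registered SPNs are:`n  " + ($spns -join "`n  ")
    # setspn -S refuses to add a duplicate; older setspn only has -A, which does not check.
    "Fix: setspn -S $expectedSpn $shortName`$   (or the service account, for MSSQLSvc)"
}

# 4. Is it registered on more than one account? The KDC then fails the request
#    (or issues a ticket for the wrong key) even though the SPN 'exists'.
$dupSearcher = [adsisearcher]"(servicePrincipalName=$expectedSpn)"
$dupSearcher.PageSize = 1000
[void]$dupSearcher.PropertiesToLoad.Add('distinguishedName')
$owners = @($dupSearcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
if ($owners.Count -gt 1) {
    "DUPLICATE: $expectedSpn is registered on $($owners.Count) accounts:`n  " + ($owners -join "`n  ")
} elseif ($owners.Count -eq 1 -and $spns -contains $expectedSpn.ToLower()) {
    "OK: $expectedSpn is registered exactly once, on $($owners[0])"
}
```

Run it as `.\Check-Spn.ps1 -ComputerName sql1.sea.widget.net -ServiceClass MSSQLSvc -Port 1433` for the SQL case, or with just the host name for HOST. The duplicate search covers the current domain only; in a multi-domain forest set `$dupSearcher.SearchRoot` to a `GC://` path so SPNs held by accounts in other domains are found as well.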


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.

Any thoughts welcome.
